Reports have surfaced that U.S. Customs and Border Protection (CBP) officials have announced that photos of travelers have been compromised as part of a “malicious cyber-attack. Customs officials said in a statement yesterday that the images, which included photos of people’s license plates, had been compromised as part of an attack on a federal subcontractor. The agency maintains a database including passport and visa photos that is used at airports as part of an agency facial-recognition program. CBP declined to say what images were stolen or how many people were affected.
Tim Mackey, Principal Security Strategist at Synopsys CyRC (Cybersecurity Research Center):
“Any disclosure of traveler information is obviously concerning to anyone who has crossed the US border recently, but should be looked at through the lens of how the evolution of technology is occurring at our borders. With Trusted Traveler programs like Global Entry, Nexus and Mobile Passports becoming the norm for frequent travelers and with pilot programs using facial recognition systems occurring with some airlines, public confidence in the security of traveler data and cross border commerce is paramount. Due to the nature of the data involved in cross border activities, CBP and its sub-contractors are a prime target for malicious actors seeking to disrupt travel and trade between the US and its partners. In the case of this breach, CBP disclosed sensitive image data relating to border crossings was transferred from CBP to one of its sub-contractors contrary to CBP policies. From an IT governance perspective, this data transfer calls into question the level of authorisation required for data transfer between systems connected to a CBP network and serves as a lesson for everyone running an IT system with access to sensitive data.
“While it may be tempting to critique CBP and its contractors, a far more productive approach would be to look at the level of controls within our respective enterprise networks. After all, if a data breach like this can occur within CBP then how easy would it be for someone to replicate the attack within an enterprise network? Enterprise IT leaders should look carefully at their threat models and determine if they have a sufficiently granular level of authentication and authorization controls for data access. In the process, a review of monitoring tools should be performed to identify any gaps in access logging which could cause unexpected data transfers to occur undetected. While reviewing the threat model and monitoring controls, it’s also an opportune time to review data collection and retention policies and feed this information back into the threat model to validate if its covering all current threats.”
Dr Darren Williams, CEO and Founder at BlackFog:
“Nobody is safe from cyberattack – not even US government agencies. With this latest data breach targeting travellers’ sensitive and personal information, it’s clear that organisations need to improve their cybersecurity practices. In particular, the risks that third-party subcontractors pose to cybersecurity practices are increasingly evident. The emphasis on protecting consumer data needs to not only be woven through an organisation’s culture, but also in all of its contractor relationships.
“This means having honest conversations at the outset of procurement to conduct due diligence on a contractor’s cybersecurity protocols. Just as a business would credit check potential suppliers to ensure they have the necessary cashflow, organisations need to get suppliers to validate they have strong perimeter defence, data loss prevention measures, and preventative cybersecurity approaches in place, to avoid breaches like this from continuing to happen.”
Sherrod DeGrippo, Senior Director of Threat Research and Detection:
“It is critical that organisations prioritize the security and access controls of their vendors, providers, and partners. These groups regularly handle sensitive data and must be examined by organisations thoroughly as they have the same culpability as the organisation itself. We recommend that organisations review subcontractors and other providers’ data security posture as if it were their own. Additionally, organisations can develop threat profiles that highlight areas of risk across verticals and implement a proactive people-centric security approach that mitigates each threat appropriately.”
Justin Fox, Director of DevOps Engineering at NuData Security:
“Policies need to be hammered out to protect people’s privacy. How data is stored, secured, monitored, removed… the reasons why data is stored and how we intend to use it needs to be determined before a solution is implemented. To be clear – this was a double data breach. First the CBP had data accessed and copied by a subcontractor without the agency’s consent and then the subcontractors’ network was breached. As airlines implement facial recognition to speed customers through the check-in process, they should be planning a secure implementation with considerations to monitoring and reporting on unauthorized access. For airports, facial recognition technology promises a convenient and easy mechanism to move people through at a faster pace and provide key services. It can even act as a second factor during the authentication process, providing a quick and easy way of identifying people. However, the issue of convenience versus privacy will be an ongoing debate for governments and companies alike. Technical glitches and problems with accuracy show that the consequences for a misidentified consumer could be severe, especially when used in law enforcement scenarios (like no-fly lists).”
Irra Ariella Khi, CEO at VChain Technologies:
“The access to CBP data via a third party contractor speaks to a bigger issue with the use of biometric data for customs and immigration. Facial recognition technology has been developed and widely adopted, but government agencies the world over have been much slower at adopting the technology that allows the safe storage, transfer and verification of that data. Without that vital data security element, governments are creating more security issues than solutions, as data can all too easily fall into malicious hands and expose governments and citizens alike.
“It is not hard to identify the mistakes that were made in this case. This highly-sensitive ‘personally identifiable information’ should not have been either exposed to or stored as a copy by the subcontractor in a central, third party database. While none of the CBP’s own systems were compromised, this also would have been avoided if the images were stored or shared in a way that made the original images inaccessible. All data of this level of sensitivity should be obscured – encrypted and unrecognisable – before being shared, stored or transferred.
“If the right suppliers are used, there should be little need for anything more than a secure signal that governments can use in order to to verify that an individual is who they say they are, but would be utterly useless should anyone get a hold of that secure signal. This technology exists and governments should adopt the safest of security practices and innovative technology with the same level of pertinacity that they adopt biometrics.”
Dov Goldman, Director of Risk & Compliance at Panorays:
“It is high time for some serious examination of how governments evaluate the contractors they hire to collect and evaluate personal data like facial photographs used for identity recognition, license plates, bank accounts, credit cards and where you are on any given data – much of it very private, sensitive information in anyone’s book. With two serious data breaches in two weeks, everyone should be extremely concerned with the information security and privacy practices of the technology companies our government uses to collect and evaluate information about citizens. The Federal Information Systems Act (FISMA) of 2002, amended in 2014 as the Federal Information Security Modernization Act, mandates best practices for safeguarding data and information systems. Contractors to the Federal Government are required to comply with FISMA, which they can do by implementing the NIST information security control standards. With modern, commercially available tools and systems, a government agency can evaluate how well third-party vendors comply with NIST before a contract is awarded, and monitor the vendors they select continuously for cyber vulnerabilities afterwards. It’s great that governments are using the latest technologies to make life easier and safer for citizens; they need to implement their own rules, such as FISMA, to ensure our privacy as well.”
Jake Moore, Cybersecurity Specialist at ESET:
“This once again highlights the knock-on effects of third-party cyber-attacks and the implications caused by a lack of cybersecurity. Although the dataset has not yet been located online, no doubt it will find its way onto the dark web in due course. There is a chance phishing emails could occur but more importantly, such data could be used in conjunction with facial recognition software. Vetting third parties is hugely important when dealing with sensitive and personal data so maybe penetration testing companies could be included when due diligence is carried out on prospective new clients.”